[geeklog-cvs] geeklog: Fixed viewing of an article if the user did not have ac...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Wed Apr 25 10:54:17 EDT 2012


changeset 8624:67f6783ca6c5
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/67f6783ca6c5
user: Tom <websitemaster at cogeco.net>
date: Tue Apr 24 10:21:31 2012 -0400
description:
Fixed viewing of an article if the user did not have access to other topics that the article belongs to
Added permission checking to breadcrumbs. A Breadcrumb will now not display if a user does not have access to the topic

diffstat:

 system/classes/story.class.php |  18 ++++++++----------
 system/lib-topic.php           |  17 ++++++++++++-----
 2 files changed, 20 insertions(+), 15 deletions(-)

diffs (88 lines):

diff -r 92b9809e7fd6 -r 67f6783ca6c5 system/classes/story.class.php
--- a/system/classes/story.class.php	Sun Apr 22 20:12:05 2012 +0100
+++ b/system/classes/story.class.php	Tue Apr 24 10:21:31 2012 -0400
@@ -596,7 +596,14 @@
                             $story['perm_members'], $story['perm_anon']);
                 
                 //$this->_access = min($access, SEC_hasTopicAccess($this->_tid));
-                $this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid));
+                //$this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid));
+                if ($mode != 'view') {
+                    // When editing an article they need access to all topics article is assigned to plus edit access to article itself
+                    $this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid));
+                } else {
+                    // When viewing a article we only care about if it has access to the current topic and article
+                    $this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid, $topic));
+                }
 
                 if ($this->_access == 0) {
                     return STORY_PERMISSION_DENIED;
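Review bot: The view branch passes `$topic` to `TOPIC_hasMultiTopicAccess()`, but nothing in this hunk shows where `$topic` is set or validated, so the read check is now only as strict as that value. If it is empty, the callee falls back to checking every assigned topic, which is the restrictive behaviour. If it names a topic the article is not assigned to, the added `AND tid = ...` filter in lib-topic.php matches no rows, and what the function returns then is decided by code outside both hunks. Please confirm that case ends in `STORY_PERMISSION_DENIED` and record the requirement at the call, e.g. `// $topic must be one of this article's assigned topics; a non-matching value must deny access`. The enclosing method starts and ends outside the hunk.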
@@ -634,15 +641,6 @@
                 $this->_comment_expire = 0;
             }
 
-            /* Tom
-            if (DB_getItem($_TABLES['topics'], 'archive_flag', "tid = '{$this->_tid}'") == 1) {
-                $this->_frontpage = 0;
-            } elseif (isset($_CONF['frontpage'])) {
-                $this->_frontpage = $_CONF['frontpage'];
-            } else {
-                $this->_frontpage = 1;
-            }
-            */
             if (isset($_CONF['frontpage'])) {
                 $this->_frontpage = $_CONF['frontpage'];
             } else {
diff -r 92b9809e7fd6 -r 67f6783ca6c5 system/lib-topic.php
--- a/system/lib-topic.php	Sun Apr 22 20:12:05 2012 +0100
+++ b/system/lib-topic.php	Tue Apr 24 10:21:31 2012 -0400
@@ -563,11 +563,12 @@
 * (need to handle 'all' and 'homeonly' as special cases)
 *
 * @param    string          $type   Type of object to find topic access about. If 'topic' then will check post array for topic selection control 
-* @param    string/array    $id     ID of object to check topic access for
+* @param    string/array    $id     ID of object to check topic access for (not requried if $type is 'topic')
+* @param    string/array    $tid    ID of topic to check topic access for (not requried and not used if $type is 'topic')
 * @return   int                     returns 3 for read/edit 2 for read only 0 for no access
 *
 */
-function TOPIC_hasMultiTopicAccess($type, $id = '')
+function TOPIC_hasMultiTopicAccess($type, $id = '', $tid = '')
 {
     global $_TABLES;
     
@@ -604,7 +605,10 @@
     } else {
         // Retrieve Topic options
         $sql = "SELECT tid FROM {$_TABLES['topic_assignments']} WHERE type = '$type' AND id ='$id'";
-    
+        if ($tid != '') {
+            $sql .=  " AND tid = '$tid'";
+        }
+        
         $result = DB_query($sql);
         $A = DB_fetchArray($result);
         $nrows = DB_numRows($result);
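Review bot: `$tid` is concatenated into the query unescaped at `$sql .=  " AND tid = '$tid'";`, and the only caller visible in this commit passes `$topic`, whose origin is not shown. If that value can come from the request on the view path, this is an injection point, so escape where the SQL is built rather than relying on every caller, e.g. `$sql .= " AND tid = '" . addslashes($tid) . "'";` or the project's own DB escaping helper if it has one. `$type` and `$id` on the line above are interpolated the same way; that predates this change but deserves the same treatment. The function body continues outside the hunk.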
@@ -623,6 +627,7 @@
                 $A = DB_fetchArray($result);
                 $tid = $A['tid'];
             }
+
             $current_access = SEC_hasTopicAccess($tid);
             if ($access > $current_access) {
                 $access = $current_access;
@@ -1285,10 +1290,12 @@
                                     'breadcrumb_t' => 'breadcrumb.thtml'));        
     
     if ($type == 'topic') {
-        $sql = "SELECT tid FROM {$_TABLES['topics']} WHERE tid = '{$id}'";
+        $sql = "SELECT tid FROM {$_TABLES['topics']} 
+            WHERE tid = '{$id}'" . COM_getPermSQL('AND', 0, 2);
     } else {
         // Retrieve all topics assignments that point to this object
-        $sql = "SELECT tid FROM {$_TABLES['topic_assignments']} WHERE type = '{$type}' AND id = '{$id}'";
+        $sql = "SELECT ta.tid FROM {$_TABLES['topic_assignments']} ta, {$_TABLES['topics']} t 
+            WHERE ta.type = '{$type}' AND ta.id = '{$id}' and t.tid = ta.tid" . COM_getPermSQL('AND', 0, 2, 't');
     }
     $result = DB_query($sql);
     $nrows = DB_numRows($result);
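Review bot: With `COM_getPermSQL()` appended, both queries can now return zero rows for an object that exists, which the `'topic'` branch could not do before. The code that consumes `$nrows` is outside this hunk, so please check that it yields an empty breadcrumb rather than rendering the template with no topic. A short comment above `DB_query($sql)` would make the new case explicit, e.g. `// may return 0 rows when the user lacks read access to every assigned topic`.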


